The SEC has been concerned with cybersecurity disclosures for many years. In 2011, guidance was issued to clarify public companies’ responsibility to disclose cybersecurity issues. The guidance calls for public companies that rely on technology to disclose cybersecurity as a Risk Factor, and for companies to disclose cyber-incidents that may have a material impact on the company.
Cybersecurity disclosure in the Risk Factors section has become quite routine. As the example below shows, cybersecurity is expressed as a past, present, and future risk; some examples of cyber-attacks are given, and the consequences of a breach are explained.
Google Inc. 10-K (2015-02-09)
“We experience cyber attacks of varying degrees on a regular basis. Our security measures may also be breached due to employee error, malfeasance, system errors or vulnerabilities, or otherwise. Additionally, outside parties may attempt to fraudulently induce employees, users, or customers to disclose sensitive information in order to gain access to our data or our users’ or customers’ data. Any such breach or unauthorized access could result in significant legal and financial exposure, damage to our reputation, and a loss of confidence in the security of our products and services that could potentially have an adverse effect on our business.”
Many companies, such as Anthem in the excerpt below, enhance their Risk Factors disclosure to include a description of the breach after a cyber incident has occurred.
Anthem, Inc. 10-K (2015-02-24)
“In February 2015, we reported the discovery that certain of our information technology systems had been the target of an external cyber attack, as more fully described under Note 13, “Commitments and Contingencies – Data Breach,” to our audited consolidated financial statements included in Part II, Item 8 of this Annual Report on Form 10-K.”
Further, a more detailed explanation of the effects of a cyber incident is often found in the notes to the financial statements. A popular footnote for cybersecurity information is the litigation footnote. As can be seen below, a discussion of the consequences – often in the form of litigation – and the associated cost are expounded upon in this section.
Home Depot Inc, 10-K (2015-03-26)
“In fiscal 2014, the Company recorded $63 million of pretax expenses related to the Data Breach, partially offset by $30 million of expected insurance proceeds for costs the Company believes are reimbursable and probable of recovery under its insurance coverage, for pretax net expenses of $33 million.”
“In addition, at least 57 actions have been filed in courts in the U.S. and Canada, and other claims may be asserted against the Company on behalf of customers, payment card brands, payment card issuing banks, shareholders or others seeking damages or other related relief, allegedly arising from the Data Breach. Furthermore, several state and federal agencies, including State Attorneys General, are investigating events related to the Data Breach, including how it occurred, its consequences and the Company’s responses.”
Some disclosures have even begun describing information about insurance arrangements associated with cyber breaches. Target, for instance, explained the type and amount of their coverage, as in the example below.
Target Corp 10-K (2015-03-13)
“To limit our exposure to losses relating to data breach and other claims, we maintain $100 million of network-security insurance coverage, above a $10 million deductible and with a $50 million sublimit for settlements with the payment card networks. This coverage, and certain other customary business-insurance coverage, has reduced our exposure related to the Data Breach. We will pursue recoveries to the maximum extent available under the policies. Since the Data Breach, we have received $30 million from our network-security insurance carriers.”
Since Target’s most recent filing, the company has settled a lawsuit brought by customers. According to Reuters, the settlement would pay victims of the breach a cumulative $10 million. This settlement is the first of its kind, as Target will pay consumers rather than investors due to the breach. The settlement did not rise to the level of materiality for Target to disclose it in an 8-K, but it will likely be disclosed in their next quarterly filing.
Cybersecurity is still a relatively new topic for public companies, and it is not uncommon to see unique or unusual cybersecurity-related disclosures. One such example comes from ConnectOne Bancorp, Inc.
ConnectOne’s disclosure is unique in two ways. First, the breach was not of ConnectOne’s systems, but rather of one of its customer accounts. Second, the breach affected ConnectOne’s disclosure controls and was alluded to in management’s assessment of disclosure controls. As seen below, this external cyber-incident caused ConnectOne’s disclosure controls to be ineffective.
ConnectOne Bancorp, Inc. 10-Q (2014-11-10)
“Based upon that evaluation, the Corporation’s chief executive officer and chief financial officer concluded that, due exclusively to the event described in Note 13. Subsequent Events, and as further described below, the Corporation’s disclosure controls and procedures are not effective.”
“Note 13. Subsequent Event
On November 5, 2014, the Corporation discovered that during the fourth quarter the account of one of its business customers had been the target of a fraud involving hacking of the customer’s e-mail account and subsequent unauthorized funds transfers. The fraud did not involve an intrusion of the Corporation’s computer systems. The Corporation is still investigating the matter and the after-tax charge, to be recorded during the fourth quarter of 2014, is expected to be no higher than $1.5 million. The Corporation is reviewing all available avenues of recovery, including the return of funds from recipient financial institutions and potential insurance claims.”
ConnectOne has since remedied this control deficiency. Nevertheless, what the ConnectOne example shows is that, while cybersecurity disclosure is becoming more commonplace, the threat itself is perhaps broader than most anticipate. The threat to internal infrastructure is an obvious one, but the threat posed by external entities that must interact with internal infrastructure (here, a customer whose compromised e-mail account was used to initiate unauthorized transfers) can be a less identifiable one.
Audit Analytics currently offers a custom database with a comprehensive list of cybersecurity breaches disclosed by US public companies. Key data includes the kind of breach (e.g., personal or financial), the estimated loss related to the incident (if disclosed), and other relevant data points. For additional information on this database, please contact Audit Analytics at 508-476-7007 or email us at firstname.lastname@example.org.